A METHOD AND AN APPARATUS FOR DETERMINING A DIGITAL PRINT REPRESENTATIVE OF A STATE OF AN EXTERNAL NON-VOLATILE MEMORY

Abstract

 The invention relates to an embedded system (110) comprising an external non-volatile memory (100) composed of a plurality of memory cells and a processing unit (101) comprising a secure memory (103) containing a memorized value MEM_ID attributed to said processing unit (101), the processing unit (101) being configured to determine a digital print DP_calc identifying a state of the external non-volatile memory (100) by: identifying a set of at least one memory cell of the external non-volatile memory (100) by applying a function F1 using the memorized value MEM_ID as an input; providing at least one wear level WL_n associated to the one or several memory cells belonging to said set of at least one memory cell; determining the digital print DP_calc by applying a function F3 to the at least one wear level WL_n.

Description

TECHNICAL FIELD

[0001] The present invention relates to a method and an apparatus for determining digital print representative of a state of an external non-volatile memory. It is applicable to the technical domain of securing embedded systems.

BACKGROUND OF THE INVENTION

[0002] According to the Recommendation ITU-T Y.2060 provided by the International Telecommunication institute, the Internet of things (loT) is defined as a global infrastructure for the information society, enabling advanced services by interconnecting physical and virtual things based on existing and evolving interoperable information and communication technologies. A thing is an object of the physical world (physical things) or the information world (virtual things), which is capable of being identified and integrated into communication networks. At present, loT is generally applied in fields such as security surveillance, automatic vending machines, public traffic systems, vehicle monitoring and management, industry process automatization, motor machineries, city informationalization.

[0003] In this description, the expression loT device refers to a piece of equipment with communication capabilities and optionally capacity of data capture, sensing, data storage, sensing and/or data processing. An loT device comprises for example a wireless communication module also called Machine Type Communication (MTC) module allowing transmission of data from one loT device to another or exchange of data between machines through UMTS/HSDPA, CDMA/EVDO, LTE, 5G, LoRa or other networks. It also comprises a computing system composed for example of a processing unit and an associated non-volatile memories (NVM).

[0004] The processing unit is for example a microprocessor, a system-on-chip (SoC) processing unit or a secure element.

[0005] The non-volatile memory (NVM) associated to the processing unit can be of different types. For example, one can find today non-volatile memories available on the market which can be erased and reprogrammed. Two common examples of existing non-volatile random access memories (NVRAM) are electrically erasable programmable read-only memory (EEPROM) and Flash memory technologies which are both widely used in today's systems.

[0006] Embedded systems are examples of computing systems for which specific constraints such as real time processing has to be taken into account. Embedded systems are widely used for implementing the Internet-of Things (loT) ecosystem and billions of devices are expected to be deployed on the field. Systems architects and designers need to address several security issues.

[0007] In particular, as the loT devices and their embedded systems are deployed on the field, these can be easily accessible for malevolent marauders which are skilled to implement security attacks such as rollback attack. A rollback attack aims at modifying a computing system for it to run an older, insecure and/or modified software version rather than the genuine version which can make the computing system more vulnerable to potential attacks.

[0008] Another type of attack to be considered during the design phase of an embedded system is the so-called replay attack which reuses data which is for example stored in the memory of the embedded system. Both rollback and replay attacks may therefore be conducted by accessing and modifying the content of the non-volatile memory. When the memory is implemented externally to the processing means of the embedded systems which may be secured, data can be modified for running some of the aforementioned attacks. This is the case for example when a secure enclave cooperates with an external memory.

[0009] In this description, the expression external memory refers to a memory implemented by the embedded system, but which is not internal to the processing means. It can be for example connected to the processing unit using a data bus. The external memory can be soldered together with the processing unit on a printed circuit or accessing through a memory card reader in case the memory is removable.

[0010] In addition, the expression secure enclave refers to a secure area that is adapted to process data and protect their integrity and confidentiality and comprising a set of at least one hardware and/or software components. This secure enclave can be implemented for example into a processor in the form of a Trusted Execution Environment (TEE) or as a secure element embedded in a system or integrated in a System-on-Chip (SoC).

[0011] One important weakness of an embedded system having processing means cooperating with an external memory is that a fraudulent user may replace the genuine external memory implemented in the embedded system by its own external memory with its own data for conducting attacks such as rollback or replay attacks.

[0012] State-of-the-art mechanisms can be used against the aforementioned attacks. For example, well known anti-replay mechanisms relying on the use of a one-time programmable (OTP) memory can be used advantageously. An example is provided in the publication of the international patent application WO2011073435A1. A drawback of this type of countermeasure is the large amount of one-time programmable memory required for being efficient on a long term perspective. Other existing alternatives can also be considered, such as using an internal flash memory or a secure external flash memory but these solutions are expensive and not flexible.

[0013] Therefore, there is a need for a solution allowing to secure the use of a memory of an embedded system which minimizes the needs for additional one-time programmable memory while allowing a flexible implementation of the embedded system.

SUMMARY OF THE INVENTION

[0014] The invention relates to an embedded system comprising an external non-volatile memory composed of a plurality of memory cells and a processing unit comprising a secure memory containing a memorized value MEM_ID attributed to said processing unit, the processing unit being configured to determine a digital print DP_calc identifying a state of the external non-volatile memory by:

• identifying a set of at least one memory cell of the external non-volatile memory by applying a function F1 using the memorized value MEM_ID as an input;
• providing at least one wear level WL_n associated to the one or several memory cells belonging to said set of at least one memory cell;
• determining the digital print DP_calc by applying a function F3 to the at least one wear level WL_n.

[0015] According to an embodiment, the digital print DP_calc is used for authenticating the external non-volatile memory by the processing unit by comparing said digital print DP_calc with a reference digital print DP_ref memorized by the processing unit, the reference digital print DP_ref being previously calculated using the same mechanism applied to the genuine external memory, the external non-volatile memory being authenticated if the digital print DP_calc matches with the reference digital print DP_ref.

[0016] According to an embodiment, the one or several memory cells belonging to the set of memory cells identified using the memorized value MEM_ID is preserved from being used for storing data.

[0017] According to an embodiment, the reference digital print DP_ref is memorized in the processing unit and determined by during the manufacturing of the embedded system when it is associated to the external memory.

[0018] According to an embodiment, the reference digital print DP_ref can also be re-calculated by the processing unit periodically or upon request.

[0019] According to an embodiment, the set of memory cells identified using the memorized value MEM_ID is artificially worn out by applying a plurality of programming and erasure (P/E) cycles in order to update the reference digital print DP_ref, said reference digital print DP_ref being updated by using the newly wear levels.

[0020] According to an embodiment, the first function F1 is injective.

[0021] The invention also relates to a method for determining a digital print DP_calc identifying the state of an external non-volatile memory composed of a plurality of memory cells by a processing unit comprising a secure memory containing a memorized value MEM_ID attributed to said processing unit, the method being applied by the processing unit and comprising the steps of:

• identifying a set of at least one memory cell of the external non-volatile memory by applying a function F1 using the memorized value MEM_ID as an input;
• providing at least one wear level WL_n associated to the one or several memory cells belonging to said set of at least one memory cell;
• determining the digital print DP_calc by applying a function F3 to the at least one wear level WL_n.

[0022] According to an embodiment, the method comprises the step of comparing the digital print DP_calc with a reference digital print DP_ref memorized by the processing unit, the reference digital print DP_ref being previously calculated using the same mechanism applied to the genuine external memory, the external non-volatile memory being authenticated if the digital print DP_calc matches with the reference digital print DP_ref.

[0023] According to an embodiment, the function F1 is injective.

[0024] The invention also relates to a processing unit comprising a secure memory containing a memorized value MEM_ID attributed to said processing unit, the processing unit being configured to be associated with an external non-volatile memory and to carry out the steps of the above method.

[0025] According to an embodiment, the secure memory is a one-time programmable (OTP) memory.

[0026] According to an embodiment, the memorized value MEM_ID is a unique identifier of said processing unit.

[0027] According to an embodiment, the memorized value MEM_ID is a random number generated and memorized in the processing unit during its manufacturing.

[0028] According to an embodiment, the processing unit comprises a baseband communication chip, the memorized value MEM_ID being an International Mobile Equipment Identity (IMEI).

BRIEF DESCRIPTION OF THE DRAWINGS

[0029] Additional features and advantages of the invention will be more clearly understandable after reading a detailed description of several embodiments of the invention, given as an indicative and non-limitative example, in conjunction with the following drawings:

• Figure 1 is an example of architecture of an embedded system implementing a mechanism to generate a digital print representative of a state of an external non-volatile memory;
• Figure 2 illustrates the evolution of the wear level of a memory cell;
• Figure 3 provides an example flow chart with several steps designed to authenticate an external memory;
• Figure 4 illustrates schematically how a value memorized in a processing unit can be used for determining a list and possibly an order of the listed memory cells;
• Figure 5 provides an example of process leading to a wear value using the measurement performed by a measurement controller associated to the external memory.

DETAILED DESCRIPTION

[0030] Figure 1 is an example of architecture of an embedded system implementing a mechanism to generate a digital print representative of a state of an external non-volatile memory.

[0031] The embedded system 110 is composed of a processing unit 101 and an external persistent memory 100. The processing unit 101 is for example a secure enclave or a system on chip (SoC) comprising a central processing unit 102 and a one-time programmable memory (OTP) 103 adapted to memorize an identifier. According to a preferred embodiment, this identifier is a unique identifier attributed to the processing unit. As the processing unit is integrated in the embedded system, it can be used for identifying the system. For example, an loT device, can be identified using this identifier. This unique identifier can be generated and provided by the manufacturer of the processing unit or by the original equipment manufacturer (OEM) embedding the device.

[0032] The external memory 100 is also implemented in the embedded system but is not integrated in the processing unit 101. The external memory 100 and the processing unit 101 are able to communicate using an hardware interface 104, for example a serial or parallel data bus.

[0033] According to an embodiment, the external persistent memory comprises a measurement controller 120 allowing the estimate the wear level of the cells composing the external persistent memory.

[0034] The described mechanism aims at determining a digital print identifying a state of the external non-volatile memory (100). For that purpose, one or several measurements of the memory wear level of a predefined set of memory cells are used.

[0035] This mechanism can also be used by the processing unit to authenticate the external memory in order to detect if this is the genuine one which is in use or another external memory replacing the genuine enabling a fraudster to conduct an attack.

[0036] A memory cell is a building block of a memory system. Binary data is stored by applying erase/write cycles to the memory cells composing the memory system.

[0037] Figure 2 illustrates the evolution of the wear level of a memory cell.

[0038] The wear level of a memory cell is a strictly increasing function 200 of its usage. A memory cell can only wear out, it cannot regenerate. As such, it can be considered as a monotonic, irreversible, function of its usage. In the example of Figure 2, the current memory wear level is indicated 201 and it is illustrated that it can only increase over time.

[0039] A memory cell wears out as a function of its usage. The performance of memory cells deteriorates as a function of the number of the programming and erasure cycles (P/E). More precisely, these cycles cause memory cells to gain some extra charge and the accumulation of this charge over time leads to wear-out of the memory cells. Measurements of the wear level are used in existing technologies for implementing wear-leveling mechanism aiming at prolonging the longevity of the memory system, such as the one described in the publication of the US patent application US20160335178A1 entitled "Systems And Methods For Utilizing Wear Leveling Windows with Non-Volatile Memory Systems".

[0040] In case of a Flash memory, programming and erasure (P/E) cycling causes damage to the tunnel oxide of the memory cells in the form of charge trapping in the oxide and interface states. This physical phenomenon is detailed in the article of P. Olivo, B. Ricco, and E. Sangiorgi entitled "High Field Induced Voltage Dependent Oxide Charge", Applied Physics Letter, vol. 48, pp. 1135-1137, 1986. The memory cell wear-out caused by P/E cycling is proportional to the programmed threshold voltage level. Therefore, a way to estimate the wear level of a memory cell is to estimate this programmed threshold voltage or its shift over time. For that purpose, a threshold voltage shift measurement controller measuring a threshold voltage of a charge loss measurement for each cell in each memory block of a flash memory device can be implemented in order to determine a wear level of the memory block according to the measured threshold voltage. An example of such technique is described in the publication US20090168524A1 of the US patent application entitled "Wear level estimation in analogue memory cells". Another technology to estimate the wear level of a memory cell us to use its timing and analogue characteristics. For example, the number of retries needed for erasing a given memory cell in order to reach a predefined charge level can be used as an indicator of the wear level.

[0041] It is interesting to note that temperature variations can slightly influence the wear level measurement of a memory cell. Therefore, according to an embodiment, a temperature sensor can be implemented in the embedded system and the measured temperature value can be used for improving the accuracy of the wear level measurements.

[0042] One important aspect of the invention is that the wear level of a predetermined set of memory cells is used to authenticate the external memory. The aim is to generate a footprint that is unique for a given memory when used in conjunction with a given processing unit. For that purpose, a set of memory cells belonging to the external memory is determined. The selection process implemented for determining the one or several memory cells composing this set is dependent of the processing unit. In other words, the selected set of memory cells is such that it allows to bound the processing unit with the external memory, providing the property of anti-cloning. According to an example, the selection of the set of cell can be derived from a value MEM_ID memorized securely in the processing unit. It can be for example a unique identifier or a random seed provisioned in the processing unit at the manufacturing stage. This value can for example be memorized in a one-time-programmable memory which is implemented in the processing unit.

[0043] According to an embodiment, if the processing unit refers to a baseband communication chip, the memorized value MEM_ID can be the International Mobile Equipment Identity (IMEI). As the IMEI is generally written in an one-time programmable memory, the modification needed to implement the invention is advantageously minimized.

[0044] Figure 3 provides an example flow chart with several steps designed to authenticate an external memory.

[0045] The first step 300 is designed to identify the set of one or several memory cells that will allow the bounding of a given processing unit with the external memory. For that purpose, a first function F1 can implemented by the processing device to determine the memory cells belonging to the aforementioned set from a predetermined value memorized in the processing unit.

[0046] According to an example, the first function F1 can be chosen as a trivial identity function. The memorized value MEM_ID corresponds for example to the concatenation of several memory cell addresses.

[0047] According to another example, the first function F1 is a pseudo random number generator (PRNG) using the memorized value MEM_ID as a seed.

[0048] A given memory cell can be identified by a physical raw address. The memory cell addresses provided as an out after applying the first function F1 using the memorized value MEM_ID as an input are noted in the sequel X_1, X_2, ...,X_N. The person skilled in that art will understand these addresses can be those of a memory page, a memory block, a sector, a bank, or any addressable memory area depending of the memory technology in use, an addressable memory area corresponding to a memory cell in the context of this invention.

[0049] Figure 4 illustrates schematically how a value memorized in a processing unit can be used for determining a list and possibly an order of the listed memory cells.

[0050] According to an embodiment, the function F1 is injective with the advantage of having a unique set of memory cells associated to each of the possible values MEM_ID memorized in the processing unit. In that case, applying F1 to two different chip identifiers MEM_ID(1) and MEM_ID(2) will lead to two different sets and orders 400, 401 of memory cells.

[0051] The memorized value MEM_ID is for example an identifier of a chip implementing the processing unit.

[0052] The one or several outputs X_1, X_2, ..., X_N obtained by applying function F1 using the memorized value as an input therefore correspond to a set of physical addresses corresponding to the set of memory cells to be involved in the process of generating a digital print.

[0053] Then, a second steps 301 aims at providing the wear level of the memory cells identified at step 300. For that purpose, a threshold voltage shift measurement controller can be used. It is for example implemented in the external memory and measuring a threshold voltage of a charge loss measurement M_n for each of the n-th cells of the selected set of cells with n ∈ [1, N].

[0054] Figure 5 provides an example of process leading to a wear value using the measurement performed by a measurement controller associated to the external memory.

[0055] A value WL_n can be provided for each of the memory cells belonging to the set identified at step 300 by applying a second function F2 to the measurement obtained from the controller:

[0056] Alternatively, the measurements M_n are taken directly as the wear levels, in that case, one have:

[0057] Figure 6 illustrates the process of determining a digital print using the wear levels of a selected set of memory cells.

[0058] Once the wear levels of the identified memory cells are collected, a step 302 is applied with the aim of determining a digital print DP_calc derived from the collected wear levels. A third function F3 can be used for that purpose:

[0059] Function F3 is chosen such that different combinations of wear level values lead to different digital print values.

[0060] According to an embodiment, the function F3 is a hash function such as SHA-256.

[0061] According to another embodiment, the function F3 corresponds to a Cyclic Redundancy Code (CRC) function.

[0062] According to another embodiment, the function F3 is chosen for generating a digital signature. Function corresponds for example to a Digital Signature Algorithm (DSA).

[0063] Then, a step 303 compares the digital print DP_calc with a reference digital print DP_ref and if these are identicals, the memory is authenticated.

[0064] On the contrary, if the digital print DP_calc differs from the reference digital print DP_ref, a critical event is detected and appropriate actions can be applied by the processing unit. A non-limitative list of examples of so-called appropriate actions is: log event, burn a fuse of a one-time- programmable memory (OTP) indicating a security critical error event, self-destruct by wiping a critical memory area upon security error detection, system mute, forcing the system to reboot, notification of a suspected attack.

[0065] According to an embodiment, the reference digital print DP_ref is determined by the embedded system at the manufacturing stage. This value can also be updated during the life-time of the embedded system.

[0066] As the wear level of a memory cell increases over time depending of its use, there are several options that can be implemented for making sure that the reference digital print DP_ref is up to date for enabling the authentication of a genuine external memory.

[0067] According to an embodiment, the one or several memory cells belonging to the set of memory cells associated to the memorized chip identifier is preserved from being used for storing data. This can be carried out by the memory management of the software implemented by the processing unit. Therefore, these are not subject to programming and erasure (P/E) cycles and consequently their wear level remain steady over time.

[0068] According to another embodiment, the reference digital print DP_ref can also be re-calculated by the processing unit periodically or upon request. This is particularly useful if the memory cells belonging to the set of memory cells associated to the memorized chip identifier are used for storing data and not subject to subject to programming and erasure (P/E) cycles.

[0069] According to another embodiment, one or several memory cells belonging to the set of memory cells associated to the memorized chip identifier can be artificially worn out by applying a plurality of programming and erasure (P/E) cycles in order to update the reference digital print DP_ref. The skilled person will understand that the reference digital print DP_ref has to be recalculated and memorized securely by the chip implementing the processing unit.

[0070] For calculating the reference digital print DP_ref, the same method is used than the one used for calculating DP_calc. The reference digital print DP_ref is calculated or re-calculated preferably at a time where the measured external memory is trusted as the genuine one. For example, the reference digital print DP_ref can be initialized during the manufacturing of the embedded system, when the external memory is associated to the processing unit.

Claims

1. An embedded system (110) comprising an external non-volatile memory (100) composed of a plurality of memory cells and a processing unit (101) comprising a secure memory (103) containing a memorized value MEM_ID attributed to said processing unit (101), the processing unit (101) being configured to determine a digital print DP_calc identifying a state of the external non-volatile memory (100) by:

- identifying a set of at least one memory cell of the external non-volatile memory (100) by applying a function F1 using the memorized value MEM_ID as an input;

- providing at least one wear level WL_n associated to the one or several memory cells belonging to said set of at least one memory cell;

- determining the digital print DP_calc by applying a function F3 to the at least one wear level WL_n.

2. An embedded system (110) according to claim 1, wherein the digital print DP_calc is used for authenticating the external non-volatile memory by the processing unit (101) by comparing said digital print DP_calc with a reference digital print DP_ref memorized by the processing unit (101), the reference digital print DP_ref being previously calculated using the same mechanism applied to the genuine external memory, the external non-volatile memory (100) being authenticated if the digital print DP_calc matches with the reference digital print DP_ref.

3. An embedded system (110) according to any of the preceding claims, wherein the one or several memory cells belonging to the set of memory cells identified using the memorized value MEM_ID is preserved from being used for storing data.

4. An embedded system (110) according to any of claims 2 or 3, wherein the reference digital print DP_ref is memorized in the processing unit and determined by during the manufacturing of the embedded system when it is associated to the external memory.

5. An embedded system (110) according to any of claims 2 to 4, wherein the reference digital print DP_ref can also be re-calculated by the processing unit periodically or upon request.

6. An embedded system (110) according to any of claims 2 to 5, wherein the set of memory cells identified using the memorized value MEM_ID is artificially worn out by applying a plurality of programming and erasure (P/E) cycles in order to update the reference digital print DP_ref, said reference digital print DP_ref being updated by using the newly wear levels.

7. An embedded system (110) according to any of the preceding claims, wherein the first function F1 is injective.

8. A method for determining a digital print DP_calc identifying the state of an external non-volatile memory (100) composed of a plurality of memory cells by a processing unit (101) comprising a secure memory (103) containing a memorized value MEM_ID attributed to said processing unit (101), the method being applied by the processing unit (101) and comprising the steps of:

- identifying (300) a set of at least one memory cell of the external non-volatile memory (100) by applying a function F1 using the memorized value MEM_ID as an input;

- providing (301) at least one wear level WL_n associated to the one or several memory cells belonging to said set of at least one memory cell;

- determining (302) the digital print DP_calc by applying a function F3 to the at least one wear level WL_n.

9. Method according to claim 8, comprising the step of comparing (303) the digital print DP_calc with a reference digital print DP_ref memorized by the processing unit, the reference digital print DP_ref being previously calculated using the same mechanism applied to the genuine external memory, the external non-volatile memory (100) being authenticated (304) if the digital print DP_calc matches with the reference digital print DP_ref.

10. A method according to any of claims 8 or 9, wherein the function F1 is injective.

11. A processing unit (101) comprising a secure memory (103) containing a memorized value MEM_ID attributed to said processing unit (101), the processing unit (101) being configured to be associated with an external non-volatile memory (100) and to carry out the steps of the method according to any of claims 8 to 10.

12. A processing unit according to claim 11, wherein the secure memory is a one-time programmable (OTP) memory.

13. A processing unit according to any of claims 11 to 12, wherein the memorized value MEM_ID is a unique identifier of said processing unit.

14. A processing unit according to any of claims 11 to 13, wherein the memorized value MEM_ID is a random number generated and memorized in the processing unit during its manufacturing.

15. A processing unit according to any of claims 12 comprising a baseband communication chip, the memorized value MEM_ID being an International Mobile Equipment Identity (IMEI).

Drawing